Having a solid payment processing platform is absolutely essential to doing business these days; in fact, you must actively promote the level of security to your prospective clients. This is because data breaches of major corporations are at an all-time high, and the consumer must be assured that you’re taking top-level precautions in safeguarding their data.
The Way Forward – PCI Compliance
The proper, legally-required method of accounting for consumer concerns about data breaches is set by the Data Security Standards (DSS) proffered by the Payment Card Industry (PCI). The tenets protect both the consumer and your business, and the standards are dependent on the volume of payment transactions you perform every year. Let’s take a look at the specifics of PCI Compliance.
First Level of PCI Compliance
This is the highest level of PCI Compliance, and so has the most stringent requirements. If you handle over 6 million transactions annually, your IT payment infrastructure will need to adhere to this level.
Furthermore, even if you do not conduct business at this volume, if your company has suffered a serious data hack before, you’ll need this level of security going forward. All of this will be assessed by a security assessor each year, in addition to network scans that must be completed in-house four times a year. Generally, you’ll find huge companies such as PayPal, Google and Microsoft in possession of PCI Level 1 Compliance; they cannot afford much downtime.
Second Level of PCI Compliance
If you conduct business transactions numbering between one and six million per year, then PCI Compliance Level 2 is the one to which you should adhere. One of the requirements is to fill out a questionnaire that deals with all the attributes of compliance at this level; it protects your company from liability in the event of a cyber-hack – as long as you limit your total number of credit card and bank account transactions to the prescribed range.
Third Level of PCI Compliance
At PCI Level 3 Compliance, your minimum number of annual credit card transactions should be 20,000, and your limit should be a million. You don’t need independent security assessors to drop by and peruse your Information Technology architecture or anything so intrusive; at this level, you just need to conduct in-house network scans each quarter. In case of a data breach, you will be audited to see if you’ve been conducting these scans; as such, your company should have the mindset that the scans are imperative.
Fourth Level of PCI Compliance
This is the lowest level of PCI Compliance – and is generally reserved for small to medium-sized businesses. If you conduct fewer than 20,000 credit card transactions every year, then compliance isn’t even necessary in most states – but it’s still a good idea for a measure of liability protection.
General Tips for PCI Compliance
It’s all about security and the confidence this gives your customers. At the most basic level, this means that every workstation in your business should have antivirus and antimalware installed, and the same applies to your printers. This is straightforward; but if you have a Bring Your Own Device culture in the office, protection against cyber-hacks must also extend to mobile devices and laptops.
Lastly, network security is a must. This means very strong passwords and limited access to your digital infrastructure. All of this falls under access control, and you should either have an in-house IT person or outsource security to a capable company with an excellent track record and adequate IT contractors.
Need help monitoring your PCI compliance? A software such as ZenGRC by Reciprocity is a great way to manage compliance.